How vulnerable supply chains deliver a world of trouble

Published 7 November 2022 in Magazine • 6 min read

Manufacturers are for the first time bearing the brunt of cyberattacks. Defending a company’s downstream supply chains is just as important as making the core business cybersecure. 

The vulnerability of supply chains has been thrust into the spotlight by a series of crises, from Russia’s invasion of Ukraine to the increasingly severe effects of climate change, coming on top of pandemic-related disruptions and shipping bottlenecks. But these are not the only threats that need tackling. 

Manufacturing companies are increasingly concerned about the significant risks to supply chains from cybercrime. Last year, manufacturers suffered the brunt of the attacks, overtaking financial services and insurance as the most targeted industry, according to IBM’s X-Force Threat Intelligence Index 2022.

The stakes have been raised by the interconnectivity of global supply chains, with several big manufacturing groups suffering production bottlenecks because of cyber breaches in their wider supplier networks that hobbled their supply chains.   

And the risk to manufacturers has only been heightened by the rush to install digital technologies in order to improve productivity on the factory floor. Automation technologies, such as robotics and the Internet of Things (IoT), have increased the attack surface for hackers, introducing new points of vulnerability. 

In building up supply-chain resilience, company executives face numerous challenges — including how to introduce manufacturing technologies for automation securely, and how to evaluate and tackle weaknesses in their wider supplier networks. Cyberattacks are becoming a systemic risk, but organizations can take steps today to protect their supply chains as manufacturing becomes increasingly digitized.

One of the major challenges that companies face is the management of third-party security threats, which are usually a weak point. Smaller suppliers do not have the financial resources of larger companies, making them easier targets for hackers. According to the Hiscox Cyber Readiness Report 2022, firms with revenues of $100,000 to $500,000 now suffer as many attacks as larger groups with income of between $1 million and $9 million. At the same time, the report notes that IT spending is down for smaller companies, leaving many exposed.

For the small- and medium-sized firms that form the backbone of most developed economies, the challenge is getting the right level of support and expertise. And because a supply chain is only as strong as its weakest link, knocking out just one critical supplier can cripple an entire supply chain.

A case in point is Toyota. Earlier this year, one of the automaker’s critical suppliers of plastic parts and electronic components suffered a suspected cyber breach. This forced the auto giant’s Japanese factories to shut for a day, hitting output of about 13,000 vehicles.

For big producers like Toyota, part of the solution will be reviewing their supplier networks to unearth vulnerabilities in their cyber defenses. Information security should also become part of the screening process for new suppliers. Because these suppliers could number in the hundreds or even thousands, it can be difficult to assess all vendors, and firms tend to do a poor job of it.

Usually, companies will require a prospective new supplier to present a cybersecurity certification. For example, ISO 27001 is one of the most popular information security standards, which enables suppliers to signify to their customers and partners that their firm’s infrastructure meets their expectations. This is a good starting point, but companies need to go much further in reviewing the cyber-resilience of their supplier networks.

Very often, security certifications only protect operations that work independently of wider networks, but the emphasis must shift to protecting interconnected systems. Rarely are existing security standards comprehensive enough for the fourth industrial revolution, or Industry 4.0. 

As well as updating these certifications, best practice for manufacturing groups should include employing teams of security experts — or using external consultants — to qualify new vendors. This must include carrying out proper mapping of the factory floor to ensure there are robust security processes in place. 

Service providers, including law and consultancy firms, require the same due diligence that you would apply to suppliers involved in the making of a product. In particular, the legal sector holds vast quantities of sensitive corporate data that hackers can target, putting law firms at risk of a cyberattack. They are also often easy prey because many law firms use outdated IT systems and have been slow to adopt security policies.

Likewise, manufacturing companies are behind the curve in terms of their cyber protections relative to other industries. The financial services and technology sectors have relied on connected IT systems for years, making them more attuned to — and better prepared for — cyberattacks. Manufacturing companies need to strengthen their defenses as they embrace Industry 4.0 and begin to link their operations to the internet to improve output and productivity. 

The other challenges are more conceptual. The dangers of cyberattacks are often under-appreciated, with executives bemoaning the high costs of security protections. One reason is that some breaches don’t have to be made public and therefore go unreported, creating a false sense of security among business leaders. 

This comes as the perpetrators of cybercrime are becoming increasingly sophisticated — ranging from private criminal groups to state-backed hackers, who can cause major disruptions and have a large financial impact on multinationals. 

This happened in 2017 when the two consumer goods giants, Mondelez International and Reckitt Benckiser, were hit by the Petya malware that infected their organizations and disrupted operations and earnings. Mondelez, which makes Oreo cookies and Cadbury chocolates, took a financial hit of more than $100m.

Beyond that, a growing issue for manufacturers is intellectual property (IP) crime — when hackers steal and sell patents, trademarks, or industrial designs to third parties, or use them to make counterfeit goods for sale on the black market. The threat to IP can also come from within organizations: employees unintentionally sharing private data on unsecure networks, deliberately stealing data for commercial gain, or seeking revenge on an employer they resent.

In this environment, companies need to create layers of defenses around not only their technology but their people. Most breaches come down to human error, omission or negligence. In “smart factories”, special attention must be paid to production engineers, who are designing, building and maintaining all the systems, including automated machines.

Every connected device on the factory floor should be linked securely to the on-site gateway that receives its data, in order to prevent network access by people without permission. Unfortunately, devices are rarely secured, with many owners continuing to use default passwords. Given that these are usually simple and publicly documented, default passwords give hackers a simple route into the corporate network.

Clearly, strong cybersecurity education is a must. However, smaller suppliers seldom have the budget or expertise to deliver this training. So companies may need to support their supplier network by offering education themselves, in order to manage the upstream risk in the supply chain. As well as this, the providers of technologies for automation also have a role to play in advising customers about the right protections, so they can use their systems with confidence. 

In the years ahead, more manufacturing companies are likely to automate and digitize production processes to boost their competitiveness. But they will need the right protections in place to mitigate the growing cyber-risk to supply chains.

Authors

Stephen Phipson

Chief Executive of Make UK

Stephen Phipson became Chief Executive of Make UK in 2017, having previously held the position of Head of the Defense and Security Organization at the Department for International Trade. Before that, he was Director for Security Industry Engagement within the Office for Security and Counter Terrorism at the UK government’s Home Office, where he was the Senior Responsible Owner for the UK security industry. 
